Skip to main content

Billboard.Js CVE-2026-1513

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-01-28 cve@navercorp.com GHSA-rpc5-pm7q-hjmp
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 28, 2026 - 02:16 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 37 npm packages depend on billboard.js (23 direct, 14 indirect)

Ecosystem-wide dependent count for version 3.18.0.

DescriptionCVE.org

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.

AnalysisAI

Cross-site scripting (XSS) in Billboard.js versions before 3.18.0 enables remote attackers to inject and execute arbitrary JavaScript through inadequately sanitized chart configuration options, affecting any application using the vulnerable library. The attack requires user interaction but can compromise confidentiality and integrity of affected web applications. No patch is currently available.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Billboard.Js. billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-1513 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy